High (weird) udp packet loss with SO and suricata IDS


Maurizio Barbaro

Jun 23, 2016, 6:14:46 PM
to security-onion, gilleser...@outlook.com
Hello,

We have been using the Suricata included in Security Onion 14.04.04 in IDS mode for a while now, and we are facing a problem with packets being dropped under moderate network traffic (around 150-200 Mbit/s).

In a few words, we are using Suricata to watch mainly two types of packets, the SIP ones and the UDP ones. Observing the server while it was working, all our SIP packets passed well through the IDS to the next server, but more than 70% of our UDP packets are dropped between the internet network and snort.


Our Suricata is in IDS mode, with pfring, in a VMware ESXi environment with the input interfaces in passthrough.
The server hosting VMware ESXi is an HP ProLiant DL360 Gen8, with 16 x 2,5 GHz Intel Xeon E5-2570 CPUs. Network interfaces are running at 1 Gbit/s.

Suricata inputs are eth11 and eth4, which are connected by Linux bridge with eth1 and eth10 respectively.


We would be thankful to hear from you what is happening. For that, we have attached our sostat and netstat -i output.

Thank you in advance.

Gilles & Maurizio.

netstat-i.txt
sostat.txt

Doug Burks

Jun 25, 2016, 10:06:57 AM
to securit...@googlegroups.com
Hi Maurizio,

Based on a quick look at your sostat.txt, I'm not immediately seeing
any packet loss issues. Where exactly are you measuring 70% packet
loss?



--
Doug Burks